The legislation was crafted with the best of intentions. Some 17 years ago, the U.S. federal government enacted the Sarbanes-Oxley Act to create better controls for and increase the visibility of financial operations. Sarbanes-Oxley — or SOX, in common vernacular — regulates the reporting behavior of public companies (and their supply-chain partners) doing business in the U.S. But when it comes to information security, by today’s standards, SOX falls short. Organizations that conflate SOX compliance with security will find themselves dangerously vulnerable to cyberattack.
Everything You Ever Wanted To Know About SOX (But Were Afraid To Ask)
SOX was a response to financial and accounting scandals. (Remember Enron, WorldCom, Tyco, and a little accounting firm called Arthur Andersen?) The act governs facets of corporate management functions, and — among other mandates — defines strict operating guardrails for public company boards, financial reporting and information security.
For American corporations (and even international enterprises with operations in the States), SOX compliance is non-negotiable. SOX auditing is a required, routine step in certifying financial statements like 10-Qs or 10-Ks for release.
SOX noncompliance penalties are severe, and a cottage industry of third-party-validated SOX-compliance services has popped up to provide comfort to senior management that everything’s going to be okay. There’s a SOX-compliance assurance solution for every corporate budget. (Can’t afford that big-six consulting firm? Consider the discount alternative.)
Ticking off the boxes on a SOX-compliance checklist may insulate your company and CEO from SEC-imposed financial penalties. But — despite what your board of directors might hope — SOX compliance won’t protect your enterprise. If you run a public company and you measure your level of information security by what your SOX auditors consider acceptable for public disclosure, you and your organization are vulnerable.
What Does Compliance Entail?
The SOX regulations, drafted two decades ago, aim to ensure an organization employs information security best practices and state-of-the-art technology — at least by 2002 standards. SOX compliance signifies that you and your organization are, well, at least making an effort. Have you set up a firewall? Do you have DNS resolution? You’re compliant.
As any cybersecurity analyst will counsel, having a firewall doesn’t mean your enterprise is secure. SOX checkbox criteria are only a measure of (often minimal) effort: “Sure, we’re SOX compliant. We’ve got a firewall. I don’t know if it’s any good, mind you, but it’s there. Linda in IT usually remembers to turn it on, and did I mention we’re SOX compliant?”
Don’t Mistake Compliance For Security
With regard to SOX, there’s a common disconnect between what is mandated and what is secure. The Sarbanes-Oxley Act helped institute financial reporting and operational discipline in major enterprises. The SOX statutes governing information security establish guidelines for ensuring those corporations use security practices to protect information. Unfortunately, those practices are far from best practice by today’s standards, and the statutes do little more than recognize the existence of some level of security rather than gauge its efficacy.
Capital One, Equifax, Radisson, Arizona Beverages — they all had firewalls. They were undoubtedly all SOX compliant. And a lot of good it did them. Too many companies make a simple mistake that can prove to be devastating. Call it compliance complacency: assuming compliance is enough to guarantee information security. It’s not. Meeting SOX-compliance information security standards is better than nothing, but not by much. SOX compliance fails to constitute, arguably, even a bare minimum of care when it comes to information security. (If that’s the case with your publicly-traded company, I’ll leave it to you to debate corporate, fiscal, legal, and even disclosure responsibility with your board of directors.)
Innovative for its day, SOX today sets the bar too low for information security management. If you run IT for an enterprise with a SOX-compliance level of information security, and you truly want to protect your company’s data, resources and business model, you must embrace change:
• Change your culture. Recognize SOX compliance for what it is: a starting point, not a finish line. Institute processes and operations to ensure information security best practices throughout your organization.
• Change your standards. Aim higher than what the federal government requires. Start with establishing enterprise adherence to the (voluntary) NIST cybersecurity framework. Add in advanced threat protection like sandboxing, MFA, comprehensive SSL-encrypted-data inspection, dynamic DLP-monitoring and best-in-class threat identification.
• Change your practices. Establish dynamic internal audits and security standards covering the spectrum of security workflows, including authentication, data workflow management, change management, infrastructure architectural design, reporting, tracking, risk assessment, even damage remediation protocols. Processes, including audit methodologies, should be periodically reviewed and updated. Monthly. Or weekly. Or dynamically.
• Change where you put security. Perimeter security can’t contain or limit damage if your firewall is breached. Monitor your data dynamically as it flows through, in, and out of your enterprise and not just at point of entry/exit. (See also: CARTA, Zero Trust and ZTNA protocols.)
The Sarbanes-Oxley Act of 2002 has helped to reform what were once easily-exploitable corporate financial-reporting operations. But its standards for information security practices are woefully out of touch with the cybersecurity needs of the modern enterprise. Organizations must still adhere to SOX regulations, but they must also employ far more sophisticated security practices to protect their data, assets and resources from cyber threats.